Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 17:08:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 83

Update arp_cache.yml (#19254)

Browse source 
Updates to Fleet Table Docs per
https://github.com/fleetdm/fleet/issues/16993

---------

Co-authored-by: Eric <eashaw@sailsjs.com>
This commit is contained in:
Brock Walters 2024-05-24 15:05:57 -04:00 committed by GitHub
parent 87225ece32
commit 4545e960ae
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 17 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
schema/tables/arp_cache.yml
View file

@ -1,23 +1,28 @@
name: arp_cache
examples: >-
List the content of the ARP cache.
description: The Address Resolution Protocol (ARP) cache maps IP addresses to MAC addresses in the network stack on Linux, macOS & Windows.
examples: |-
Basic query:
```
SELECT address, interface, mac FROM arp_cache;
```
On systems located in an office or datacenter, you can use this to watch for network attacks by checking for gateway IPs that do not have the expected MAC address. This could indicate an [ARP spoofing](https://en.wikipedia.org/wiki/ARP_spoofing) attack, in which an attacker that controls a system on the LAN attempts to funnel all remote traffic through it so they can inspect it.
Compare gateway IP addresses (which are typically routers) to a list of known MAC addresses:
```
SELECT * FROM arp_cache WHERE address IN (INSERT_GATEWAY_IPS) AND mac NOT IN (INSERT_EXPECTED_MAC_ADDRESSES);
```
notes: >-
* The first six digits of a MAC address is the [Organizationally Unique
Identifier
(OUI)](https://en.wikipedia.org/wiki/Organizationally_unique_identifier).
notes: |-
The first six digits of a MAC address are the known as the [Organizationally Unique Identifier](https://en.wikipedia.org/wiki/Organizationally_unique_identifier)
* You can lookup the manufacturer and model via the MAC address using a tool like [wireshark OUI lookup](https://www.wireshark.org/tools/oui-lookup.html).
Manufacturer and model information can be looked up by MAC address using [Wireshark OUI Lookup](https://www.wireshark.org/tools/oui-lookup.html)
OUI is used to populate manufacturer information in applications like [Wi-Fi Explorer](https://www.intuitibits.com/products/wifiexplorer/)
[ARP Cache](https://en.wikipedia.org/wiki/ARP_cache)
Monitoring the ARP cache is useful for maintaining network integrity & security. Querying data from this table can help to:
- Find network anomalies
- Troubleshoot network connectivity
- Uncover [ARP Spoofing](https://en.wikipedia.org/wiki/ARP_spoofing)